While businesses are ramping up their risk mitigation efforts, they could be doing more

Zurich North America and Advisen have released a survey of corporate risk managers and insurance buyers revealing current views about information security and cyber risk management.

The survey results indicate that risk professionals are increasingly aware of their intensifying cyber risks and the need to manage them using risk mitigation and risk transfer. However, a deeper dive into the numbers found that there is much room for improvement in building cyber resilience.

Sixty-five percent of respondents have invested in cybersecurity solutions to mitigate risk, which means that 35 percent of respondents still have not.

“At Zurich, we have been advocating for increased cyber resilience among businesses for years so seeing a continued increase in take up rate and strengthening risk mitigation efforts is very encouraging,” said Michelle Chia, Head of Professional Liability and Cyber for Zurich North America.

“The survey results also tell us, however, that more work needs to be done to increase cyber resilience and we are committed to providing businesses the resilience strategies they need through education and support.”

Gaps in risk mitigation efforts

The survey results reveal gaps in risk mitigation efforts among respondents especially related to risk monitoring, employee training and vendor risk assessment efforts.

Risk monitoring: Most risk managers taking the survey are not monitoring cyber threats to their organizations frequently enough. Thirty-two percent of respondents shared that they monitored for cyber threats monthly and 28 percent just quarterly. The report states that “…in today’s fast-changing environment, even monthly threat assessments will leave organizations ill-prepared for both threat actors and their cyber insurance renewals.”

Vendor risk assessment: At 52 percent, barely half of the survey respondents say vendor risk assessment is a part of their risk mitigation plans. Also, respondents categorized business interruption due to technology failures or supplier cyber disruptions only as a moderate concern on the list of their business continuity concerns. With cybercriminals increasingly leveraging third-party vendors to launch attacks on a broader scale, companies should be forewarned that vendor risk is not an area to ignore.

Employee education: Human error is a major factor in successful cybersecurity breaches. With cyber threats evolving daily, more frequent training opportunities that keep employees in the loop on threats and help them identify and thwart efforts by bad actors will be critical in minimizing cyber events. Yet only 17 percent of respondents indicate that their companies offer cybersecurity training on a monthly basis. Annual training is the most common response chosen at 30 percent of survey respondents, with 25 percent conducting employee cyber education on a quarterly basis.

Low confidence in tackling ransomware

Eighty percent of respondents say they feel very or moderately prepared to face a ransomware event. However, respondents also worry that no matter how much they prepare, it will not be enough to fully overcome a ransomware attack.

A focus on business interruption persisted through the survey’s ransomware section; and the “unknowns” of ransomware were apparent in the survey with one respondent adding, “While our cyber risk security efforts seem very robust, it’s difficult to know what we don’t know.”

Other key findings of the 2021 survey include:

• The hard cyber insurance market is hitting buyers on all fronts including retention, limits, price, and coverage. Respondent comments show significant worries about a “completely dislocated” market with triple-digit rate increases, shrinking coverages, and skepticism over whether insurers adequately analyze effective loss prevention measures.
• Buyers’ frustration with the cyber insurance market’s policy wording varies from carrier to carrier, which makes it difficult for policy holders to compare solutions.

Considering the current state of the insurance market, risk managers will find pre-breach mitigation planning and excellent cybersecurity controls to be mandatory for underwriters. This year’s survey highlights a few areas where risk managers may be lagging and where their insurance partners can offer education and support.

“This survey reveals that customers are concerned with the changing market and what it will mean to their renewal process,” added Chia. “Risk managers are looking for coverage that protects their business at the right price and are also looking for solutions to mitigate their risk. With so many unknowns, they may find that the answers to business resilience are right in front of them in the form of risk mitigation.”